
This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

The following components will be installed.

 

01. Install OS (Windows 2008 R2 - English)

02. Microsoft Loopback Adapter

03. Active Directory

04. DNS

05. IIS

06. Certificate Authority

07. MSSQL 2012

08. JDK 1.7.0_80 (32bit and 64bit)

09. NewAtlanta ServletExec 6.0

10. ASF Apache

11. CA Directory

12. Oracle Directory Server 11g

13. CA Single Sign-On Policy Server

14. CA Single Sign-On AdminUI

15. CA Single Sign-On Web Agent/Option Pack

16. CA Single Sign-On Secure Proxy Server

17. CABI 3.3

 

Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.

 

07. MSSQL 2012

 

Once you run the installer, you will be greeted with this window.

At the left pane, click on "Installation".

Now, at the right pane click "New SQL Server stand-alone installation or add features to an existing installation".

Note the warnings.

1. It is not recommended to install SQL server on a domain controller

2. SQL Server ports need to be opened in the firewall, or just disable the firewall.

 

At Windows Firewall, select "Advanced settings".

Click on the "Inbound Rules"

Click on "New Rule" at the right pane.

Select "Port"

Enter "1433"

Select "Allow the connection"

You can select all network locations, but only the domain network is connected at the moment, so at minimum "Domain" needs to be selected.

Enter a name and click "Finish" to activate this rule.

 

You can also do the same via the command line.

netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN

 

Going back to the SQL installation:

Click Next.

You only need to select the following.

* Database Engine Services

* Management Tools - Complete

Select "Mixed Mode" and enter a password.

Also, click "Add Current User" to add the "SSO\Administrator" user, just in case you forget the "sa" password.

SQL Server Installation is now complete.

From "Start" menu, click "SQL Server Management Studio".

Log on as the "sa" user with the previously specified password.

Now that you are logged on as "sa", it is your world.

 

 

08. JDK 1.7.0_80 (32bit and 64bit)

 

You don't actually need to *install* the 64bit JDK.

You can copy it from another machine where it is already installed.

This 64bit JDK will be used for ServletExec.

You can still use the 32bit JDK for ServletExec, but on Windows, when you install the WA and WAOP on the same machine, they need to be the same bit level.

As I will be installing the 64bit WA for IIS, the 64bit WAOP will be installed as well.

NewAtlanta does not have the logic to look up the WOW64 registry, so if you only have the 32bit JDK installed, it will not recognize it.

If you do not plan to install the 64bit JDK, you will need to export the JDK registry keys from the WOW64 area and modify/import them into the 64bit area.

Then NewAtlanta can be installed.

 

In this case, I will be installing both the 64bit (WAOP) and 32bit (PS) JDK.

Install both of them to the default installation folder.

 

 

09. NewAtlanta ServletExec 6.0

 

The NewAtlanta ServletExec installer binary can be found in the policy server binary zip file.

For example, "ps-12.52-sp1-cr02-win32.zip/thirdparty-tools/servlet-engine-6.0/win32/ServletExec_AS_60a.exe"

The serial number can be found in "ps-12.52-sp1-cr02-win32.zip/thirdparty-tools/servlet-engine-6.0/ServletExec AS 6 license key.txt"

This license is only for SiteMinder Password Services and SiteMinder Federation Web Services.

 

Please note that you cannot use special characters in the password.

 

It is installed in the following folder: C:\Program Files\New Atlanta\ServletExec AS

The instance that you created during installation is in the "se-testmc1" folder.

The "se-testmc1" folder has StartServletExec.bat and StopServletExec.bat.

Those scripts have the environment variables set locally, so if anything needs to be modified, you should take a look at the StartServletExec.bat file.

 

It is also registered as a service named "ServletExec-testmc1", and it is started automatically after installation.

 

As ServletExec is a plugin to a web server, you need to access it via your web server URL.

http://www.sso.lab/servletexec/admin

Log on as the "admin" user.

When you log on the first time, it will show that it is running in "Development Mode".

Click on the "License" at the left pane.

 

Now ServletExec is running in Production mode.

 

One tip: "http://www.sso.lab/servlet/TestServlet" is a test page that dumps all the request headers, which can be handy when you want to check which headers are set and which cookies are submitted.

This concludes Part 3 of ALL IN ONE Image.

This is continued from "Creating an ALL-IN-ONE VM Image - Part 1"

 


 

05. IIS

Actually, installing IIS and configuring Certificate Services are performed at the same time.

 

Load "Server Manager" and select "Add Roles".

Select "Web Server (IIS)" and "Active Directory Certificate Services".

 

 

06. Certificate Authority

 


Select "Certification Authority Web Enrollment" and "Online Responder".

It will ask for Role Services components to select. Click "Add Required Role Services".


By default, "SHA-1" is selected as the hash algorithm, but I am choosing SHA256.

I am naming this ROOTCA as "TESTLABCA".

I am setting the validity of this ROOTCA to 35 years.

In order to configure the WebAgent, the following components need to be selected.

  • ASP.NET
  • CGI
  • ISAPI Extensions
  • ISAPI Filters
  • IIS Management Console
  • Windows Authentication (for the CA SiteMinder® Windows Authentication Scheme)


You should see those roles listed in the Server Manager.

 

Test the web site to see if it is serving requests fine.

In this case, I copied my sample index.asp pages and set "index.asp" as the default document in IIS.

 

Now, try http://www.sso.lab/certsrv/ to see if the certificate authority works as well.

It did not work using www.sso.lab, but it works with the testmc1.sso.lab hostname.

 


 

The reason is that the Kerberos ServicePrincipalName does not match, so it is unable to authenticate the user.

Run the following command to register "www.sso.lab"

Now the Certificate Services can be accessed via "http://www.sso.lab/certsrv".

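The SPN registration for the alias, written out as an added example (this is not the command from the original post's screenshot). It assumes IIS on TESTMC1 uses the default kernel-mode authentication or a built-in application pool identity, so the ticket for www.sso.lab must be issued against the TESTMC1 computer account:

```powershell
# Added example, not from the original post. Registers HTTP/www.sso.lab on the
# computer account of the IIS host so the KDC can issue a ticket for the alias.
# Assumption: kernel-mode authentication (the 2008 R2 default) or a built-in
# app pool identity, both of which decrypt tickets with the computer account key.
$alias    = "www.sso.lab"
$computer = "TESTMC1"

# -S adds the SPN only if no other account in the forest already holds it.
# With a duplicate SPN the KDC encrypts the ticket for whichever account it
# finds first and the web server fails with KRB_AP_ERR_MODIFIED, so this
# check matters more than the registration itself.
setspn -S "HTTP/$alias" $computer

# Confirm the alias is now listed on the computer account.
$registered = setspn -L $computer
if ($registered -match [regex]::Escape("HTTP/$alias")) {
    Write-Host "HTTP/$alias is registered on $computer"
} else {
    Write-Warning "HTTP/$alias is not registered; review the setspn output above"
}

# Forest-wide duplicate report; it should list nothing for this host.
setspn -X

# On a domain-joined client, after opening http://www.sso.lab/certsrv, a
# Kerberos ticket for the alias should appear in the ticket cache. If it does
# not, the browser fell back to NTLM and the SPN is still wrong.
klist | Select-String ([regex]::Escape("HTTP/$alias"))
```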

 

Going back to the IIS configuration, I want to stop IIS from listening on port 80 on every IP address.

This would conflict with other web servers that need to listen on port 80 as well.



As such, I need to force IIS to listen on a specific IP only.

By default, "netsh http show iplisten" shows no IP address, which means it is not configured to listen on a specific IP.

This makes it listen on 0.0.0.0, so it needs to be told to listen on a specific IP address.

As you can see from above, I have set IIS to listen on 192.168.201.101 only.

So, when I run netstat, it shows that it actually listens on 192.168.201.101:80 only and not 0.0.0.0:80.
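The IP listen change and the netstat check above, as an added example (not the original post's commands) for the lab address 192.168.201.101:

```powershell
# Added example, not from the original post: restrict HTTP.sys (IIS) to the
# single address 192.168.201.101 so Apache and the Secure Proxy Server can own
# port 80 on the other loopback addresses, then verify the result from netstat.
$iisIp = "192.168.201.101"

# An empty list here means HTTP.sys binds 0.0.0.0:80 for every site.
netsh http show iplisten

# Add the address and restart IIS; the listen list is read when HTTP.sys starts.
netsh http add iplisten ipaddress=$iisIp
iisreset

# Returns $true only if port 80 is bound on the expected address and nowhere else.
function Test-IisListenAddress {
    param([string]$ExpectedIp)
    # Windows netstat line shape: "TCP  192.168.201.101:80  0.0.0.0:0  LISTENING  4"
    $lines = netstat -ano -p tcp | Where-Object { $_ -match ":80\s+\S+\s+LISTENING" }
    $lines | ForEach-Object { Write-Host $_ }
    if ($lines -match "0\.0\.0\.0:80\s") {
        Write-Warning "IIS is still listening on all addresses"
        return $false
    }
    if (-not ($lines -match ([regex]::Escape("${ExpectedIp}:80") + "\s"))) {
        Write-Warning "Nothing is listening on ${ExpectedIp}:80"
        return $false
    }
    return $true
}

Test-IisListenAddress -ExpectedIp $iisIp
```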

 

 

This concludes Part 2 of ALL IN ONE Image.


 

01. Install OS (Windows 2008 R2 - English)

 

HDD is 80GB

RAM is 6GB

Name the host "TESTMC1" and reboot.

 

02. Microsoft Loopback Adapter

 

Run "hdwwiz" and follow the steps below.

 

Assign static IP to those adapters.

 

IP: 192.168.201.101

Subnet: 255.255.255.0

DNS: 127.0.0.1

 

IP: 192.168.201.102

Subnet: 255.255.255.0

DNS: 127.0.0.1

 

IP: 192.168.201.103

Subnet: 255.255.255.0

DNS: 127.0.0.1

 

IP: 192.168.201.104

Subnet: 255.255.255.0

DNS: 127.0.0.1

 

The bridged adapter can use DHCP.

 

 

03. Active Directory

 

Promote to Domain Controller and reboot.

NETBIOS Name: SSO

Domain: sso.lab

Functionality Level: Windows 2008 R2

 

 

04. DNS

 

Create the Reverse DNS Lookup Zones.

 

Add entries to "Forward Lookup Zones".

Select "New Host" entry.

 

You have now created a host entry for "www.sso.lab".

Repeat the same steps for the other host names below.

cadir.sso.lab   192.168.201.102

mssql.sso.lab   192.168.201.103

 

Create a new "Forward Lookup Zone" called "partner.lab".



Create a new host entry in the "partner.lab" zone.

 

 

Check the "Reverse Lookup Zones" to see if all the entries are mapped to the desired IP address.

They would be pointing to the default "testmc1" entry, so they need to be re-mapped.

 

Disable automatic updates to the DNS entries. Otherwise, all the records can be overwritten with the physical hostname every time you reboot.

 

Right click on the zone and select "Properties".

At "Dynamic updates", select "None".

 

Forward Lookup Zones are okay, as the manually entered ones will remain unchanged.

But you can still set them not to update dynamically. This is optional.

In case you need to add more hostnames or IP addresses, please repeat the steps above.

The reason I am using separate IPs with loopback adapters is to make it look more realistic; for example, when you run netstat it will show a different IP for each service, which is easier to understand.

However, using loopback adapters has its limitations. For example, you can only perform tests involving servers listening on those loopback adapters from this machine. You won't be able to test remotely, as an external client will not be able to resolve those DNS names or reach the IP addresses.
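The DNS steps of this part, scripted with dnscmd.exe as an added example (not from the original post). It assumes the zones are AD-integrated on the TESTMC1 domain controller and deliberately leaves the sso.lab forward zone on dynamic updates, since the DC registers its own SRV records there:

```powershell
# Added example, not from the original post: the DNS console steps above done
# with dnscmd.exe on the Windows 2008 R2 domain controller. Names and addresses
# are the lab's own; the reverse zone name follows from 192.168.201.0/24.
$zone    = "sso.lab"
$revZone = "201.168.192.in-addr.arpa"
$records = @{ "www"   = "192.168.201.101";
              "cadir" = "192.168.201.102";
              "mssql" = "192.168.201.103" }

# Reverse lookup zone and the separate partner zone, both AD-integrated
# (/DsPrimary) because this server is the domain controller.
dnscmd /ZoneAdd $revZone /DsPrimary
dnscmd /ZoneAdd partner.lab /DsPrimary

foreach ($name in $records.Keys) {
    $ip    = $records[$name]
    $octet = $ip.Split(".")[3]
    dnscmd /RecordAdd $zone $name A $ip
    # Explicit PTR per host, so the reverse zone stops pointing at "testmc1".
    dnscmd /RecordAdd $revZone $octet PTR "$name.$zone."
}

# Dynamic updates "None" (0) on the reverse zone, so a reboot cannot overwrite
# the PTR records with the physical host name. The sso.lab forward zone is left
# alone: the DC's netlogon service must still register its SRV records there.
dnscmd /Config $revZone /AllowUpdate 0

# Verify forward and reverse resolution for every host through the local server.
foreach ($name in $records.Keys) {
    nslookup "$name.$zone" 127.0.0.1
    nslookup $records[$name] 127.0.0.1
}
```

The host name for the partner.lab entry is not given in the post, so add it with the same /RecordAdd form once you have chosen it.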

 

 

This concludes Part 1 of ALL IN ONE Image.

I found while writing this article that there is a limit of 50 photos per article, so I am splitting the contents into multiple posts.

This is a follow-up article to Installing SharePoint Server 2013 on Windows 2008 R2.

Before we continue, if the system memory is less than 4GB, it is highly advisable to increase it to a minimum of 4GB and reboot. 10GB is recommended if at all possible.

Otherwise it would be too slow. (Even 4GB is way below the recommendation, and you will experience very frequent CPU spikes even when you are not doing anything, not to mention when you are actually trying to do something.)

 

 

Click on "Start" button and

Click on "SharePoint 2013 Products Configuration Wizard"

Click "Next".

Click "Yes".

Click on "Finish".

You will experience high CPU for a while as the default SharePoint server instance is configured.

Once the instance is configured, IE will open and prompt you to log in.

Now, although this SharePoint server has joined the domain, only the local Administrator is the Admin for this instance.

You can see from above that it is showing "Domain: SECURE". So, when you enter "Administrator" it is actually SECURE\Administrator.

You will need to enter "<HOSTNAME>\Administrator" to log in as the local Administrator.

Close this browser (as the credential is now cached) and open http://sharepoint/ from a new browser session.

This time, enter "SHAREPOINT\Administrator".

You will now log on to SharePoint and the following will be displayed.

From above, you will see that the format of the username is now different from earlier versions of SharePoint. It now shows "0#.w|sharepoint\administrator".

This format actually gives you more hints about which user directory this user is from.

Select the default "Team Site" and click "OK" button to continue.

It won't take long, but you will see that the system is actually lacking resources.

By default, it says "Use an existing group".

You can actually create new groups, but you need to be prepared to give the group names and members.

I will select the default. Click "OK".

To give users access to this site, click on "SHARE" button.

Add in the name of the users.

If you click on "SHOW OPTIONS", you can actually choose whether they will be Members or Owners.

Select "Owners" and in the input box enter a first or last name to get suggestions.

My name appeared, so I will choose myself to make me one of the Owners.

Click on "Share" to update the ownership.

 

 

Log out Administrator and try logging on as me.



Open a new browser and go to http://sharepoint/



Log in as me.

If you log on as a user who is not part of Visitors, Members or Owners, you will get the following message.



The next article will be about creating a new site (Web Application).

This was the first APJ SiteMinder Office Hour (Chat) Session held on 2015-10-12.

Hosted by Karmeng

All other SMEs have joined as well.

Federation: Kelly and myself

APS and SDK : Ujwol

Application Server Agent : Kar Meng

SPS and SDK : Mark O'Donohue

Translation between Korean and English: myself

 

People from left to right.

Kent, Kar Meng, Kelly, myself, Ujwol. (photo taken by SDM Samuel Yii)

And Mark over the network.


 

It was a fun event.

Will have more of APJ Office Hour events in the future.

This is actually to set up the SharePoint Agent (CA Single Sign-On), and I need to set up SharePoint Server first.

 

My Windows Domain is "SECURE.LAB" and this SharePoint Server will be installed on a server named "SHAREPOINT".

Insert the installation media or mount the ISO.

 


 

Firstly, select "Install software prerequisites".


Accept the license and click "Next".


You must have internet access to download all the prerequisite packages.

Otherwise, you need to install them manually.

Before installing all the prerequisite packages, you will be asked to restart after installing the Windows Management Framework 3.0.

Click "Finish" to reboot.

After the reboot, when you log on to the machine, it continues with the prerequisites installation.

Packages are installed. Click on "Finish" button. It will again reboot the machine.

After the reboot and logon, it continues the installation and should complete as below.

Once all the prerequisites are installed, run the installer again.

 


This time, select "Install SharePoint Server".


 

Enter your Product Key and click "Continue".

Accept the agreement and click "Continue".

Select the Server Type. "Complete" is chosen by default but I am switching to "Stand-alone" type. Click "Install Now".

At this point, the SharePoint Server 2013 installation is complete.

If you are like me, setting up on VMware, uncheck the "Run the SharePoint Products Configuration Wizard now." box and click "Close".

Shutdown the machine and take a snapshot of this image.

 

The following articles will come next.

* Configuring SharePoint Server

* Setting up applications

* Installing SharePoint Agent

* Configuring SharePoint Agent


Deploying OVF Template

Posted by SungHoon_Kim Employee Oct 2, 2015

DEPLOYING OVF Template.

 

You should already have converted your VMware image to OVF and stored it locally.

 

From the vSphere Client, click on "File" ==> "Deploy OVF Template..."


At the moment (2015-10-02) there is no ControlMinder 12.9 for Windows. 12.8 is the latest.

 

DVD11133442E.iso (Thirdparty)

DVD11133325E.iso (ControlMinder 12.8)

 

Create a DB Instance for this installation. I created "PIM128" for this installation.


 

Go to the server designated for the ControlMinder installation and log on to the server as the local Administrator.

Then, mount the Thirdparty ISO.

On Windows, you just need to run the "PrereqInstaller" and it will install the JDK and JBoss (it will also ask you to choose the JBoss service ports and updates).


Insert the DVD11133325E.iso


Click on the "Done" button from the previous screen.

Ignore the error message asking for the previous DVD. Click "Continue" a few times and it will close.


Select "Primary Enterprise Management Server" as this is the first one.


I entered "Siteminder1" as encryption key.

(All the EndPoints must use the same key during installation.)


Choose "Active Directory" to allow AD users to log on to the AdminUI.

Click "Done" to reboot.

Log on to the server, check Task Manager and wait till the CPU settles down.

If you see the ports starting, you should be able to get the AdminUI page.

http://PIM-01.SECURE.LAB:18080/iam/ac

Log on as an AD user.

(You will be prompted to add this site to trusted sites)

 

Congratulations!

 

Thanks to GwanYu_Kim for his help in making this and the 12.9 on Linux successful.

If you are federating and sending lots of user attributes over to your federation partners, you might have encountered an issue generating the assertion and been led to modify the "<PS>/config/properties/EntitlementGenerator.properties" file to increase the default buffer size from 1024 to a higher value.

 

Original EntitlementGenerator.properties file below.

# This file contains any properties required for federation

# This indicates the maximum attribute length that will
# used for WS-FED, SAML2.0, SAML1.x assertion attributes
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024

 

The default buffer size (1024 bytes) was not sufficient, so you want to raise it, but you don't want to keep modifying this frequently.

You might be thinking: maybe I should raise it to a sufficiently high value so I will not have to modify this anymore.



Then the question: what is the highest value that I can set?

The documentation only says it can be raised but does not say what the threshold is.

 

Based on the code, the value is an integer.

So, it will have the following range.

From "-2,147,483,648" to "2,147,483,647"


Now, who dares to set this max value?
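A small check, added here as an example (not part of the original post), that reads the properties file and confirms each MaxUserAttributeLength value is within the signed 32-bit integer range described above. The <PS> path is an assumption; substitute your Policy Server root:

```powershell
# Added example, not from the original post. Validates the three
# MaxUserAttributeLength keys against the Java int range the post identifies.
# Assumption: <PS> is C:\Program Files\CA\siteminder (adjust for your install).
$file = "C:\Program Files\CA\siteminder\config\properties\EntitlementGenerator.properties"
$keys = @("wsfed", "saml1", "saml2") | ForEach-Object {
    "com.netegrity.assertiongenerator.$_.MaxUserAttributeLength"
}

# Minimal .properties reader: skip comments and blank lines, split on the first "=".
function Read-Properties {
    param([string]$Path)
    $props = @{}
    Get-Content $Path | Where-Object { $_ -match "^\s*[^#!\s].*=" } | ForEach-Object {
        $k, $v = $_ -split "=", 2
        $props[$k.Trim()] = $v.Trim()
    }
    return $props
}

# Mirrors Integer.parseInt: anything outside [-2147483648, 2147483647] is rejected,
# and a length that is zero or negative cannot hold any attribute at all.
function Test-AttributeLength {
    param([string]$Raw)
    $n = 0
    if (-not [int]::TryParse($Raw, [ref]$n)) { return "not a 32-bit integer: '$Raw'" }
    if ($n -le 0) { return "non-positive: $n" }
    return "ok: $n (max allowed $([int]::MaxValue))"
}

$props = Read-Properties -Path $file
foreach ($k in $keys) {
    if (-not $props.ContainsKey($k)) {
        Write-Warning "$k is missing (the Policy Server default of 1024 applies)"
        continue
    }
    Write-Host ("{0} -> {1}" -f $k, (Test-AttributeLength -Raw $props[$k]))
}
```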

This is a step-by-step procedure to install PIM 12.9 on RHEL 6.6.



Follow the instructions in the "CA ControlMinder Implementation Guide", "Chapter 3. Installing the Enterprise Management Server".


1. Mount the 3rd party ISO (DVD04091143E.iso)

2. Run "uname -m" to determine the OS architecture (to decide whether you need the 32bit or 64bit JDK)

3. Install the JDK from the matching architecture folder. (It will be installed to /usr/java/jdk1.7.0_71)

 

4. Create /etc/profile.d/java.sh

  export PATH=/usr/java/jdk1.7.0_71/bin:$PATH

(Make sure there is no trailing colon after $PATH: an empty element in PATH is treated as the current directory.)

5. Extract JBOSS

  • cd /opt/
  • unzip jboss-4.2.3.GA.zip

6. Configure JBOSS (to prevent a port conflict with Tomcat, which will be installed later)

  • /opt/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/server.xml (modify port 8080 to 18080 and 8443 to 18443)


 

  • /opt/jboss-4.2.3.GA/server/default/conf/jboss-minimal.xml


 

  • /opt/jboss-4.2.3.GA/server/default/conf/jboss-service.xml


 

7. Configure the JBOSS to startup automatically (https://community.jboss.org/wiki/startjbossonbootwithlinux)

It is better to copy the following content from the box and paste it in vi. If you type it manually, the quotes can cause problems.


# vi /etc/rc.d/init.d/jboss

#! /bin/sh
# JBoss 4.2.3 SysV init script (from the JBoss wiki page linked above)
start(){
     echo "Starting jboss.."
     /opt/jboss-4.2.3.GA/bin/run.sh > /dev/null 2> /dev/null &
}
stop(){
     echo "Stopping jboss.."
     /opt/jboss-4.2.3.GA/bin/shutdown.sh -S &
}
restart(){
     stop
     sleep 60
     # blunt fallback if shutdown.sh did not finish: this also kills any other Java process on the host
     killall java
     start
}
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  *)
        echo "Usage: jboss {start|stop|restart}"
        exit 1
esac

exit 0

# ln -s /etc/rc.d/init.d/jboss /etc/rc3.d/S84jboss


8. Set the ulimit to 10000 to prevent errors during installation (# ulimit -n 10000)


9. Install pre-requisite rpm packages

# yum install -y ld-linux.so.2 libICE.so.6 libSM.so.6 libX11.so.6 libXext.so.6 libXp.so.6 libXt.so.6 libc.so.6 libcrypt.so.1 libdl.so.2 libgcc_s.so.1 libm.so.6 libncurses.so.5 libnsl.so.1 libpam.so.0 libpthread.so.0 libresolv.so.2 libstdc++.so.5 libaudit.so.1 ksh dos2unix libgcc_s.so.1 libpthread.so.0 libstdc++.so.6 rpm-build freerdp-libs freerdp
====================Pre-requisites satisfied=======================



10. Reboot the machine and see if JBoss started up fine. (Check that the jboss service script ran fine)


11. Shut down JBoss


12. Mount the ControlMinder Enterprise Manager ISO (DVD04090913E.iso).


13. Open an SSH terminal (do not run the installer from the GUI, as it will get stuck with high CPU)


14. Install PIM 12.9 from the DVD/ISO

# /media/CA_CM_PS_12_90_L/EnterpriseMgmt/Disk1/InstData/NoVM/install_EntM.bin -i console


Entered "Siteminder1"


You need to have a DB instance ready at this point.

You do not need to manually import any schema, the installer does everything for you.



15. Reboot and test login to http://<server>.<domain>:18080/iam/ac


16. Login as administrator (AD User)


 

Congratulations!